HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
10 common HIPAA violations and preventative measures to keep your practice in compliance


The HIPAA law protecting patient health information is quite well known to personnel in most physician offices. There still remain, however, some questions regarding HIPAA's rules and regulations. Providers who are not up to date with changes in the law risk potential violations that could not only damage a practice's reputation but also result in criminal and civil fines.

The Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, was established in 1996 to set national standards for the confidentiality, security, and transmissibility of personal health information.

Healthcare providers are required, under the HIPAA Privacy Rule, to protect and keep confidential any personal health information. It also sets limits and conditions on its use and disclosure without patient authorization. The Rule also gives patients rights to their health information, including rights to obtain a copy of their medical records, and request corrections.

HIPAA does have exceptions to the rule, however, such as when the rule would hinder the ability to provide quality healthcare services. One example is a discussion between two physicians who are both treating a patient. In addition, peer-review activities, disclosures needed by health plans to resolve billing questions, and other similar situations are exempted.

The Department of Health and Human Services defines covered entities as healthcare providers, health plans, and healthcare clearinghouses, which include hospitals, physicians, chiropractors, dentists, optometrists, schools, nonprofit organizations that provide some healthcare services, and even government agencies. However, those affected by HIPAA do not end there.

HIPAA violations can result in substantial fines to a practice ranging from $100 to $1.5 million. Healthcare providers can also be at risk for sanctions or loss of license.

We list below some of the more common reasons for HIPAA violation citations:

1. Employees disclosing information – Employees gossiping about patients to friends or coworkers is also a HIPAA violation that can cost a practice a significant fine. Employees must be mindful of their environment, restrict conversations regarding patients to private places, and avoid sharing any patient information with friends and family.

2. Medical records mishandling – Another very common HIPAA violation is the mishandling of patient records. If a practice uses written patient charts or records, a physician or nurse may accidentally leave a chart in the patient's exam room available for another patient to see. Printed medical records must be kept locked away and safe out of the public's view.

3. Lost or Stolen Devices – Theft of PHI (protected health information) through lost or stolen laptops, desktops, smartphones, and other devices that contain patient information can result in HIPAA fines. Mobile devices are the most vulnerable to theft because of their size; therefore, the necessary safeguards should be put into place such as password protected authorization and encryption to access patient-specific information.

4. Texting patient information – Texting patient information such as vital signs or test results is often an easy way that providers can relay information quickly. While it may seem harmless, it is potentially placing patient data in the hands of cyber criminals who could easily access this information. There are new encryption programs that allow confidential information to be safely texted, but both parties must have it installed on their wireless device, which is typically not the case.

5. Social Media - Posting patient photos on social media is a HIPAA violation. While it may seem harmless if a name is not mentioned, someone may recognize the patient and know the doctor's specialty, which is a breach of the patient's privacy. Make sure all employees are aware that the use of social media to share patient information is considered a violation of HIPAA law.

6. Employees illegally accessing patient files - Employees accessing patient information when they are not authorized is another very common HIPAA violation. Whether it is out of curiosity, spite, or as a favor for a relative or friend, this is illegal and can cost a practice substantially. Also, individuals that use or sell PHI for personal gain can be subject to fines and even prison time.

7. Social breaches - An accidental breach of patient information in a social situation is quite common, especially in smaller more rural areas. Most patients are not aware of HIPAA laws and may make an innocent inquiry to the healthcare provider or clinician at a social setting about their friend who is a patient. While these types of inquiries will happen, it is best to have an appropriate response planned well in advance to reduce the potential of accidentally releasing private patient information.

8. Authorization Requirements - A written consent is required for the use or disclosure of any individual's personal health information that is not used for treatment, payment, healthcare operations, or permitted by the Privacy Rule. If an employee is not sure, it is always best to get prior authorization before releasing any information.

9. Accessing patient information on home computers – Most clinicians use their home computers or laptops after hours from time to time to access patient information to record notes or follow-ups. This could potentially result in a HIPAA violation if the screen is accidentally left on and a family member uses the computer. Make sure your computer and laptop are password protected and keep all mobile devices out of sight to reduce the risk of patient information being accessed or stolen.

10. Lack of training - One of the most common reasons for a HIPAA violation is an employee who is not familiar with HIPAA regulations. Often only managers, administration, and medical staff receive training although HIPAA law requires all employees, volunteers, interns and anyone with access to patient information to be trained. Compliance training is one of the most proactive and easiest ways to avoid a violation.

The privacy and security of patient health information should be a priority for all healthcare clinicians and medical professionals. Make sure your materials are current, update your manuals, and conduct annual HIPAA training to prevent potential violations. Most violations can easily be prevented by implementing HIPAA regulations into practice policies and procedures and ensuring that all individuals with access to patient information receive the proper training.


HIPAA Confusion Leading to Litigation: Health Care Providers May Continue to Charge State Fee Schedules for Third-Party Medical Record Requests

Recent changes to HIPAA have led to confusion, with a significant number of attorneys claiming that they are entitled to a lower “HIPAA rate” for copies of medical records. While the issue may seem arcane, this confusion is becoming the subject of litigation against covered entities and their release-of-information vendors.

HIPAA permits covered entities to disclose health information to attorneys in numerous situations, such as in response to an individual’s authorization, subpoena, and court orders that meet the HIPAA requirements. The term “individual” is defined to mean the person who is the subject of the information. In these situations, covered entities may charge a fee for providing a copy of the individual’s record. These fees usually are established by state law. Since the Privacy Rule was finalized in December 2000, the right for individuals to access their own health information (under 45 C.F.R. § 164.524(c)(4)) has restricted the fees that a covered entity may charge an individual for protected health information maintained in a “designated record set,” which generally includes medical records and billing records. Under this limited Privacy Rule section, a health care provider may charge an individual only a “reasonable, cost-based fee” for a copy of the individual’s medical record. HIPAA has provided, and continues to provide, that covered entities may charge third parties, including attorneys that do not qualify as personal representatives, the fee schedule established under state law. In the commentary to the December 2000 Privacy Rule, the U.S. Department of Health and Human Services (“HHS”) made clear that it did “not intend to affect the fees that covered entities charge for providing protected health information to anyone other than the individual.” 65 Fed. Reg. 82,557 (Dec. 28, 2000).

In the preamble commentary to 2002 amendments to the Privacy Rule, HHS reiterated this position. In response to concerns that HIPAA restricted the amount that could be charged to attorneys and other third parties, HHS stated:

[HHS] clarifies that the Rule, at § 164.524(c)(4), limits only the fees that may be charged to individuals, or to their personal representatives in accordance with § 164.502(g), when the request is to obtain a copy of protected health information about the individual in accordance with the right of access. The fee limitations in § 164.524(c)(4) do not apply to any other permissible disclosures by the covered entity, including disclosures that are permitted for treatment, payment or health care operations, disclosures that are based on an individual’s authorization that is valid under § 164.508, or other disclosures permitted without the individual’s authorization as specified in § 164.512.

67 Fed. Reg. 53,254 (Aug. 14, 2002).

The 2009 Health Information Technology for Economic and Clinical Health (“HITECH”) Act and a related rule (commonly known as the HIPAA Omnibus Rule) recently have created some confusion in this area. Part of this confusion may stem from the Privacy Rule permitting an individual to direct a covered entity to send a copy of the medical record to a third party. 45 C.F.R. § 164.524(c)(3)(ii). Or it may be the Omnibus Rule’s clarification that a covered entity may not charge an individual a fee established under state law when the fee is more than the actual cost of copying the medical record. 78 Fed. Reg. 5636 (Jan. 25, 2013). Whatever the source of confusion, an increasing number of attorneys (such as attorneys in malpractice cases) are claiming that they are entitled to the “HIPAA rate” rather than the fee established under state law.

To the contrary, HIPAA continues to permit covered entities to charge third-party requestors the fees established under state law. First, the regulations governing fees for providing copies of protected health information continue to only govern requests from individuals. Section 164.524(c)(4), which limits fees to a reasonable, cost-based amount, only applies “[i]f the individual requests a copy of the protected health information.” Similarly, while the HITECH Act and Omnibus Rule clarify that an individual may have a copy of the medical record sent to a designated third party, this right only applies to “an individual’s request for access.” See 45 C.F.R. § 164.524(c)(3)(ii). While the preamble discussion clarifies that a covered entity may not charge the state-authorized fee if in excess of the covered entity’s costs, this discussion is in reference to requests from individuals (rather than from third parties). 78 Fed. Reg. 5636 (Jan. 25, 2013).

Second, third-party requests for medical records are subject to a limit on the sale of protected health information (added pursuant to the HITECH Act), which explicitly permits the covered entity (or its business associate) to charge “a fee otherwise expressly permitted by other law.” See 45 C.F.R. § 164.502(a)(5)(ii)(B)(2)(viii). In the commentary to the HIPAA Omnibus Rule, HHS clarifies that business associates, such as release-of-information vendors, may continue to charge third parties those fees permitted under state law:

For example, a number of commenters stated that covered entities often outsource to release of information (ROI) vendors the processing of requests for copies of medical records from third parties and that these vendors and not the covered entities bill for the reasonable costs of providing the records to the requestors. Commenters asked that the final rule clarify that business associates can continue to receive payment of costs from third parties for providing this service on behalf of covered entities.

* * * * *

[W]e add the term “business associate” in the general exception permitting reasonable, cost-based fees to prepare and transmit data (or fees permitted by state laws) to make clear that business associates may continue to recoup fees from third party record requestors for preparing and transmitting records on behalf of a covered entity, to the extent such fees are reasonable, cost-based fees to cover the cost to prepare and transmit the protected health information or otherwise expressly permitted by other law.

78 Fed. Reg. 5606 (Jan. 25, 2013).

Accordingly, third-party requests for medical records, including attorneys’ requests, continue to be subject to fees established under state law. A request from an attorney qualifies for the “HIPAA rate” rather than the state-authorized fee only if the attorney qualifies as the individual’s “personal representative” under HIPAA, meaning that the attorney has authority to act on behalf of the patient with respect to making decisions related to health care (i.e., treatment decisions). See 45 C.F.R. § 164.502(g). HHS has clarified that “an attorney of an individual may or may not be a personal representative under the rule depending on the attorney’s authority to act on behalf of the individual in decisions related to health care.” 65 Fed. Reg. 82,651 (Dec. 28, 2000). The mere fact that an attorney represents an individual in litigation does not mean that the attorney has authority to act on behalf of the individual in decisions related to health care.

When a covered entity receives a request from an attorney or other third party who is not the individual’s personal representative under HIPAA, the covered entity should continue to require a HIPAA-compliant authorization (or otherwise meet the requirements for a disclosure, such as going through the subpoena or court order process) and the covered entity or its release-of-information company may continue to charge the state-authorized copying rate.



HIPAA breach puts blame on business associate


A New York healthcare provider is notifying its patients that their medical data has been compromised after one of its business associates reported the theft of an employee-owned laptop and unencrypted smartphone.

The New York-based Senior Health Partners, part of the Healthfirst health plan, has mailed out breach notification letters to 2,700 of its members after discovering that a laptop and mobile phone belonging to a registered nurse employed by one of its business associates were reported stolen.

Officials say the nurse's laptop, which was stolen back on Nov. 26, was encrypted, but the encryption key was in the laptop bag that was taken. The mobile phone stolen was neither encrypted nor password-protected. The nurse was employed by Senior Health Partners' business associate Premier Home Health, which notified the long-term care provider on Dec. 10. Affected patients were mailed notification letters Jan. 30.

An investigation into the theft found that the privately owned laptop included a "potentially accessible" email containing patient names, demographics, Social Security numbers, Medicaid IDs, dates of birth, clinical diagnoses and treatment information, and health insurance claim numbers. "Senior Health Partners sincerely regrets that this incident occurred," read a Jan. 30 press statement. "It takes the privacy and security of members' health information very seriously and expects its vendors to do the same. SHP values the trust its members have placed in it as their health plan, and it is SHP's priority to reassure its members that it is taking steps to ensure its members' information is protected."

Healthcare IT News asked what Senior Health Partners' policy was around encryption and using privately owned devices for work purposes, but did not receive a response before publication time.

To date, nearly 42 million individuals have had their protected health information compromised in a reportable HIPAA privacy or security breach, according to data from the Department of Health and Human Services.



VoIP Phones and HIPAA Compliance


So, what about your VoIP phone system? Many organizations have migrated to VoIP service.  VoIP (or “Voice over Internet Protocol”) is a method for taking analog audio signals and turning them into digital data that can be transmitted over the Internet instead of traditional analog phone lines. Does patient information stored and processed by these phone systems constitute electronic Protected Health Information?

By definition, electronic PHI is data which is transmitted or maintained on electronic media. Electronic media is defined as either:

  1. Electronic storage material, which includes, for example, computer hard drives, or
  2. Transmission media, which includes, for example, the internet. Note that part of this definition changed with the 2013 Omnibus Rule changes, and states “Certain transmissions, including of paper, via facsimile, and of voice, via the telephone, are not considered to be transmissions via electronic media, if the information being exchanged did not exist in electronic form immediately before the transmission”.

Note the quoted sentence in the second item; it represents the change made to the rule in 2013. For VoIP systems that do not include voice mail (which eliminates just about all VoIP systems) there might be room for debate about whether the information in VoIP systems meets the definition of ePHI. However, voice mails are clearly stored on computer hard drives or other electronic storage material.

What features does HIPAA look for with VoIP software that processes ePHI?   The implementation specifications in the HIPAA rule that apply to software include:

  1. Unique User ID & authentication. Phones identify themselves with the phone number or serial number on the phone. A certificate installed on the phone is used for authentication using PKI.
  2. Access Controls. Certain users may have additional privileges beyond making phone calls so the system should support different classes of users.
  3. Audit logs. The system should record call meta data, as well as any details regarding any administrative activities performed by an authenticated user.
  4. Encryption. TLS and/or VPNs can be employed between IP phones and the Communications Manager software. For data at rest, for example voicemails, other encryption technologies can be used.
  5. Business Associate Agreement (for cloud providers). When cloud-based VoIP solutions are used, an essential ingredient is the HIPAA Business Associate agreement. The cloud provider has an additional set of compliance obligations including their own physical, technical and administrative controls.

It is not surprising that some cloud VoIP vendors offer interpretations of HIPAA which claim that their services and VoIP phone technology fall under the so-called “conduit exception”. The “conduit exception” excludes organizations that provide mere courier services, such as the U.S. Postal Service or internet service providers. For an excellent post regarding this narrow exception.

The takeaway – include your VoIP phone system in application inventory, assess risks during your risk assessment, conduct the appropriate security evaluation and document compliance.



How to Prepare for the Risk Assessment HIPAA Requires

My brother-in-law retired a few years ago after more than three decades in private practice. He ran his busy office the old-fashioned way — without computers. His patients’ records were kept in manila folders filed in a wall of shelves. In longhand, his office manager recorded appointments in a big black book and kept track of accounts in a ledger tucked into a backroom drawer.

Today when I sat down to blog here about how to prepare for a risk analysis/risk assessment (the terms are interchangeable), I couldn’t help but think about my brother-in-law’s healthcare office and how its methods of dealing with patient information differed from most modern practices. I bring this up only to bring home an important point to keep in mind when setting out to do a risk assessment: Namely, no two healthcare practices have exactly the same information-system components, nor do they manage the flow of information in exactly the same way.

Performing a risk assessment regularly is a required component for HIPAA compliance — a do-it-yourself method of understanding where your healthcare practice might be vulnerable when it comes to keeping Protected Health Information (PHI and ePHI) safe. An intended by-product of a risk assessment is the development of plans and strategies within your office to prioritize and address those vulnerabilities.

Start here

It’s probably safe to say that, unlike my brother-in-law, you run an office that relies on information technology in a variety of ways. To prepare for a risk assessment, here’s what I suggest for you or whoever serves as the Security Officer in your practice: Catalogue the information-system components in the office that come in contact with PHI and ePHI and that play a role in either storing patient health information or transmitting it. Begin by listing:

Hardware – Computers at the front desk, tablets in clinical areas, printers, servers, scanners, modems, PDAs, and smartphones

Software – Operating systems; browsers; software for practice management, billing, EHR, email, and database and office productivity

Network components – Dedicated phone or cable lines, routers and hubs, firewall software and firewall hardware, wireless systems

Charting a course to HIPAA compliance

The next step is to create a simple chart to diagram and better understand how all that stuff works together in collecting, storing, and transmitting patient information. An at-a-glance depiction of the flow of information at your office.

This step is important because HIPAA requires that your assessment of risk be specific to your practice. A chart like this communicates, “This is how we do things here.” It’s also an effective way to get a handle on what needs to be updated and the places and intersections where breaches could occur.
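The catalogue and the flow chart are the raw input to the assessment itself. As an added example (not code from the original post, and not an HHS checklist), the Python below encodes a constructed inventory of a small practice, with a data-flow list standing in for the chart, and checks it against the safeguards this page names elsewhere: encryption in transit and at rest, authentication, audit logging, and a business associate agreement for cloud vendors such as a VoIP provider, so it also serves the VoIP takeaway above about including the phone system in the application inventory. It goes one step beyond the post by flagging any component that appears in a flow but was never catalogued, which is exactly the gap a chart is meant to expose. All asset names and attribute values are invented.

```python
"""Added example: ePHI asset inventory plus data-flow risk check.
Not the original post's code; asset names, flows and attribute values
are constructed, and the rules are the safeguards the page itself names."""

from dataclasses import dataclass


@dataclass
class Asset:
    """One inventoried component and the safeguards it has."""
    name: str
    kind: str                      # "hardware", "software", "network" or "cloud-service"
    stores_ephi: bool = False
    encrypted_at_rest: bool = False
    requires_auth: bool = False
    audit_logging: bool = False
    mobile: bool = False           # laptops, tablets, phones: higher loss/theft exposure
    third_party: bool = False      # vendor handling ePHI on the practice's behalf
    has_baa: bool = False          # business associate agreement on file


@dataclass
class Flow:
    """One edge of the information-flow chart: data moving from src to dst."""
    src: str
    dst: str
    carries_ephi: bool
    encrypted_in_transit: bool


SEVERITY_ORDER = {"high": 0, "medium": 1}


def assess(assets, flows):
    """Check every asset and flow against the safeguards and return
    (severity, subject, finding) tuples, highest severity first."""
    by_name = {a.name: a for a in assets}
    findings = []
    for a in assets:
        if a.stores_ephi and not a.encrypted_at_rest:
            # A lost unencrypted mobile device is a reportable breach; rank it higher.
            sev = "high" if a.mobile else "medium"
            findings.append((sev, a.name, "stores ePHI without encryption at rest"))
        if a.stores_ephi and not a.requires_auth:
            findings.append(("high", a.name, "ePHI reachable without authentication"))
        if a.stores_ephi and not a.audit_logging:
            findings.append(("medium", a.name, "no audit log of ePHI access"))
        if a.third_party and not a.has_baa:
            findings.append(("high", a.name, "vendor handles ePHI but no BAA on file"))
    for f in flows:
        edge = f"{f.src}->{f.dst}"
        if f.src not in by_name or f.dst not in by_name:
            # The chart references something the catalogue missed: inventory is incomplete.
            findings.append(("medium", edge, "flow touches an uninventoried component"))
            continue
        if f.carries_ephi and not f.encrypted_in_transit:
            findings.append(("high", edge, "ePHI transmitted without encryption"))
    return sorted(findings, key=lambda x: SEVERITY_ORDER[x[0]])


def example_inventory():
    """Constructed sample practice (all values invented for illustration)."""
    assets = [
        Asset("front-desk-pc", "hardware", requires_auth=True),
        Asset("ehr-server", "hardware", stores_ephi=True, encrypted_at_rest=True,
              requires_auth=True, audit_logging=True),
        Asset("nurse-laptop", "hardware", stores_ephi=True, encrypted_at_rest=False,
              requires_auth=True, audit_logging=False, mobile=True),
        Asset("voicemail-store", "software", stores_ephi=True, encrypted_at_rest=False,
              requires_auth=True, audit_logging=True),
        Asset("cloud-voip", "cloud-service", stores_ephi=True, encrypted_at_rest=True,
              requires_auth=True, audit_logging=True, third_party=True, has_baa=False),
    ]
    flows = [
        Flow("front-desk-pc", "ehr-server", carries_ephi=True, encrypted_in_transit=True),
        Flow("nurse-laptop", "ehr-server", carries_ephi=True, encrypted_in_transit=False),
        Flow("cloud-voip", "voicemail-store", carries_ephi=True, encrypted_in_transit=True),
        # billing-clearinghouse was never catalogued; the flow check will surface it.
        Flow("ehr-server", "billing-clearinghouse", carries_ephi=True, encrypted_in_transit=True),
    ]
    return assets, flows


def run_example():
    """Assess the constructed inventory; returns the sorted findings list."""
    assets, flows = example_inventory()
    return assess(assets, flows)


if __name__ == "__main__":
    for sev, subject, finding in run_example():
        print(f"[{sev:6}] {subject}: {finding}")
```

Each finding is a concrete line item for the "plans and strategies" the post says a risk assessment should produce: the unencrypted laptop and its plaintext link to the EHR, the VoIP vendor with no BAA, the unencrypted voicemail store, and the clearinghouse that the chart knows about but the catalogue does not.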

Ready? Set? Assess!

With that flow chart in hand, you’ll have a head start on a thorough risk assessment. And here’s why that’s a good thing. In an online conversation at heathcarefosecurity.com, Verne Rinker, health information privacy specialist at the Office of Civil Rights (OCR), said this about the importance of risk assessment in healthcare practices:

“The number-one suggestion is risk analysis, and risk analysis needs to be comprehensive. It needs to look at all the systems because these are constantly changing as organizations change their IT infrastructure. It needs to be ongoing, which also catches not only the new systems that are coming online, but also catches changes in the existing systems and the existing business lines of entities. And it needs to be a regular part of their business. It needs to be on their corporate radar and in their culture of compliance.”

The topic of risk analysis/risk assessment is so important to HIPAA compliance, it deserves more than one blog. Stay tuned!

Mobile health IT security challenge: way bigger than HIPAA?


Wearable technology and other health-related devices were big at the 2015 Consumer Electronics Show (CES) earlier this month. The potential benefits of mobile medical technology and telemedicine are enormous, from better quality of life to saving lives, not to mention controlling healthcare costs. Yet keeping data safe when it is beyond the confines of hospitals and clinics is a serious challenge, one that cannot be met merely through regulatory compliance.

In America, one regulation dominates healthcare information security: the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This was later expanded and updated by the Health Information Technology for Economic and Clinical Health Act of 2003 (the HITECH Act). However, being HIPAA and HITECH compliant is not the same as being secure; I have recorded a webinar to explain why. I also lay out the reasons for thinking that the protection of mHealth data, that is, health data handled by mobile devices, is such a big security challenge.



$10 Million Fine in Improper Disposal Case


The grocery store chain Safeway has been ordered to pay a $9.87 million penalty as part of a settlement with California prosecutors related to improper disposal of confidential pharmacy records and hazardous waste in dumpsters.

The settlement resolves allegations that Safeway unlawfully disposed of customer pharmacy records containing private medical information in violation of California's Confidentiality of Medical Information Act.


Prosecutors in California also alleged Safeway unlawfully disposed of various hazardous materials over a period of longer than seven years. Those materials included over-the-counter medications, pharmaceuticals, aerosol products, ignitable liquids, batteries, electronic devices and other toxic, ignitable and corrosive materials, according to a statement from the Alameda County District Attorney's Office. That office took the lead on the civil enforcement lawsuit filed on Dec. 31 by a coalition of 43 California district attorneys and two city attorneys.

Safeway operates about 500 stores and distribution centers in California under a number of brand names, including Von's, Pavilions and Pak 'n Save, and is in the process of merging with another large grocery chain, Albertsons, which operates stores in several states under brands that include ACME, Albertsons, Jewel-Osco, Lucky, Shaws, Star Market and Super Saver.

The case against Safeway by the California district attorneys was based on a series of waste inspections of dumpsters belonging to Safeway facilities conducted by state environmental regulators and other inspectors during 2012 and 2013.

Kenneth Mifsud, Alameda County assistant district attorney, tells Information Security Media Group that the inspections were conducted at dozens of Safeway stores about once a month during an 18-month period. Investigators - who examined retail store waste taken to landfills - found violations in about 40 percent of the stores inspected. In some cases, pharmacy documents, such as store summaries listing medical and personal information on dozens of patients, were found among the waste, he says.

"The inspections revealed that Safeway was routinely and systematically sending hazardous wastes to local landfills, and was failing to take measures to protect the privacy of their pharmacy customers' confidential medical information," says the Alameda County district attorney's statement. "Upon being notified by prosecutors of the widespread issues, Safeway worked cooperatively to remedy the issue, enhance its environmental compliance program and train its employees to properly handle such waste."

The case against Safeway spotlights the importance of retail pharmacy chains, hospitals and other healthcare entities properly shredding or "making indecipherable" patient and other consumer personal information before disposing of it, Mifsud says.

"There's a risk of identity theft committed by dumpster divers, and unfortunately by some employees," he says.

Settlement Terms

According to settlement documents filed in the Superior Court in Alameda County on Dec. 31 - the same day the suit was filed by the district attorneys against Safeway - the $9.87 million in civil penalties and costs Safeway agreed to pay are mainly related to the environmental and unfair business claims against the company. The unfair business claims encompass the violations of California's medical confidentiality laws, Mifsud says.

As part of the settlement, the retailer must also "maintain and enhance, as necessary" its customer record destruction program to ensure that confidential medical information is disposed of in a manner that protects individuals' privacy. Plus, it must take several steps related to environmental compliance, including ensuring that its workforce is trained in properly disposing of waste.

Court documents do not indicate how many customers' improperly dumped pharmacy records were found by inspectors. Mifsud says it's difficult to estimate the number of patients or pharmacy records that were affected by the improper disposal because the inspections only provided "a snapshot" of some stores' activities.

Approximately 500 Safeway retail stores and distribution centers in the state must abide by the corrective action terms of the settlement, Mifsud says.

State attorneys started negotiations with Safeway in 2012, when the violations were first discovered, he says. The suit and settlement documents were both filed in court the same day, Dec. 31, as a formality to those discussions, he explains.

In a statement to ISMG, Safeway says, "We have enhanced [our] programs and added new and supplementary training to ensure strict adherence to the law and to our policies. Safeway will continue to dedicate significant resources to these important programs."

Privacy and security attorney Kathryn Coburn, a partner at law firm Cooke Kobrick LLP, says that the Safeway case is a reminder to all organizations that having policies about protecting sensitive information of patients is not enough; they also need to have procedures for the workforce to follow and training to ensure those procedures are understood.

"Everyone I deal with has policies. But if there are no procedures, and no training, those policies aren't any good," she says.

Other Disposal Cases

The Safeway settlement is not the first time enforcement actions have been taken by regulators against a retailer charged with improper disposal of sensitive medical information.

In a 2010 settlement with the U.S. Department of Health and Human Services, Rite Aid Corp. agreed to pay a $1 million fine and take corrective action after some of its stores improperly disposed of prescription information in dumpsters. Also, a $2.25 million HHS settlement was reached in a similar case against CVS Caremark in February 2009.

And retail pharmacies aren't the only organizations that have been cited by regulators for improper disposal of medical information. For example, HHS' Office for Civil Rights last June announced an $800,000 HIPAA settlement with Parkview Health Systems, an Indiana community health system, after paper medical records for 5,000 to 8,000 patients were dumped in the driveway of a physician's home.

Security and privacy attorney Stephen Wu of the law firm Silicon Valley Law Group says OCR could decide to open a HIPAA non-compliance case against Safeway based on the findings by state regulators in their suit against the retailer.

"If I were Safeway's counsel, I'd be advising the company to look for another shoe to drop," Wu says.

Mifsud says he's unaware if OCR is investigating the Safeway matter. OCR did not respond to ISMG's request for comment.



IT Maintenance Crucial for HIPAA Compliance

The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) recently announced an agreement with a medical center to settle charges stemming from the center’s failure to prevent malware from infecting its computers. The malicious programming breached the electronic protected health information (ePHI) of 2,743 individuals in violation of the Health Insurance Portability and Accountability Act (HIPAA).

The medical center was fined $150,000 and agreed to implement a corrective action plan for violating the mandates of HIPAA’s Security Rule. Under the Security Rule, covered entities and business associates must implement appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and security of ePHI.

According to OCR, the medical center adopted policies to comply with the HIPAA Security Rule, but failed to follow them after putting them to paper. The medical center did not perform an accurate or thorough risk assessment for ePHI, nor did it implement the necessary policies, procedures or technical security measures to prevent unauthorized access to ePHI. Specifically, OCR maintains that the medical center’s failure to identify and address basic risks — e.g., not regularly updating firewalls and running outdated, unsupported software — was the direct cause of the introduction of malicious software into its systems.

In addition to the monetary fine, the medical center agreed to implement a two-year corrective action plan requiring it to —

  • Revise, adopt and distribute updated Security Rule policies and procedures approved by OCR;
  • Develop and provide updated security awareness training — based on training materials approved by OCR — to employees, and update and repeat such training annually;
  • Conduct annual assessments of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI in its possession and document the security measures implemented to address those risks and vulnerabilities;
  • Investigate and report to OCR any violations of its Security Rule policies and procedures by employees; and
  • Submit annual reports to OCR describing its compliance with the corrective action plan.

OCR used its announcement to highlight the fact that HIPAA compliance is a continuous process and requires more than establishing initial policies, procedures and systems. Rather, covered entities and business associates will only be able to avoid expensive HIPAA fines and penalties by conducting regular ePHI risk assessments, addressing identified security vulnerabilities and regularly updating HIPAA policies and procedures.

Although technological safeguards are vital to keeping ePHI secure, human error is also a significant threat to patient data security and privacy, making a knowledgeable workforce crucial to HIPAA compliance. Covered entities and business associates can ensure HIPAA compliance with Thomson Reuters’ online training courses on HIPAA Privacy and Security and U.S. Data Privacy and Security. Our online compliance training courses explain the essential principles of HIPAA requirements and of safeguarding individuals’ personal information.



Employees could leave health systems vulnerable to hacks


Healthcare organizations are vulnerable to cyberattacks in many ways, with a big threat being a company or hospital's own employees, according to Ari Baranoff, assistant special agent in charge for the U.S. Secret Service's Criminal Investigative Division.

"Your workforce is a potential vulnerability to your network," Baranoff tells Healthcare IT Security. "Constantly educating your workforce and testing your workforce on their cyberhygiene is very important."

Even if employees mean no harm, just by browsing the Internet or checking their email they can put networks at risk, Baranoff says. It's especially dangerous if these activities are done using the same system that houses electronic health records or other hospital information.

In addition, employee information is also something that often is at risk and can raise problems for hospitals. The Secret Service has seen growing interest in extortion and ransomware campaigns in the healthcare industry, according to Baranoff.

However, a great deal of the threats to health systems come from the outside world, he adds.

For instance, in the recent breach at Sony Pictures, the health information of employees was hacked, including a memo with treatment and diagnosis details about an employee's child with special needs, as well as a spreadsheet from a human resources folder containing birth dates, health conditions and medical costs.

Data breaches are expected to increase in 2015, with healthcare "a vulnerable and attractive target for cybercriminals," according to Experian's 2015 Data Breach Industry Forecast.

Electronic medical records and consumer-generated data from wearables and other devices will continue to add to the vulnerability and complexity in securing personal health information, according to the report.


Patient discharged with paperwork of 20 other patients

The Medical Center of Aurora in Colorado is under scrutiny for discharging a patient with the paperwork of 20 other patients, according to Fox 31 Denver.

On November 22, 2014, the medical center discharged Karen Billings and included the medical information of 20 other patients in the documentation provided. Billings returned to the medical center where a nurse retrieved other patients’ paperwork. However, upon reviewing her file the following day, Billings found that she was still in possession of seven pages of operating room notes belonging to other patients, Fox 31 Denver reported.

Billings said the paperwork given to her listed patients’ dates of birth, physician names, procedures, and medications. The medical center is offering free identity theft protection for affected patients, according to Fox 31 Denver.

Former Kokomo dentist agrees to fine for violating HIPAA


Former Kokomo dentist Joseph Beck agreed to pay the state $12,000 for disposing of patient files in an Indianapolis Dumpster, the Attorney General’s Office reported Friday.

The Attorney General’s Office sued Beck for failing to protect personal information and for improperly disposing of records containing personal information of Indiana residents, which violates state privacy laws as well as the federal Health Insurance Portability and Accountability Act (HIPAA). This is the first time Indiana has sued for a violation of HIPAA.

More than 60 boxes of patient records from Beck’s former Comfort Dental clinic in Kokomo were found discarded in an Indianapolis Dumpster in March of 2013. The files contained records from 2002-2007.

“In an era when online data breaches are top of mind, we may forget that hard-copy paper files, especially in a medical context, can contain highly sensitive information that is ripe for identity theft or other crimes,” Attorney General Greg Zoeller said in a news release.

“This file dump was an egregious violation of patient privacy and safety.”

Beck agreed to a consent judgment with the state, in which he will pay a $12,000 penalty for these violations. The order was signed this week in Marion County court.

In December of 2011, the Indiana Board of Dentistry permanently revoked Beck’s license to practice dentistry, following an investigation by the Attorney General’s Office that cited fraudulent billing and negligence, the news release stated.

In March of 2013, Beck hired private company Just the Connection, Inc. to retrieve and dispose of his patient records, which included names, medical records, phone numbers, birth dates, Social Security numbers, insurance cards, insurance information and state ID numbers.

The Attorney General said less than a week later, 63 boxes of patient records were found in a Dumpster at Olive Branch Christian Church on the south side of Indianapolis. The Attorney General’s Office recovered the files and fielded inquiries from individuals who were concerned that their records might be at risk. No identity theft was identified or reported.

Zoeller recently proposed new legislation that aims to prevent data breaches and identity theft, and reduce harm to potential victims. His proposed legislation would expand Indiana’s Disclosure of Security Breach Act to facilitate faster and more informative notification to consumers impacted by a breach. It also would add breaches of paper and handwritten records to the Act, as current law covers electronic records only.

Had the new legislation been in effect during this case, Beck could have faced increased penalties for improper data handling and disposal practices. It also would have enabled the state to hold Just the Connection, Inc. liable for the breach as well because Zoeller’s proposed legislation would cover “data collectors” in addition to “data owners.”

“The alarming rise in data breaches we’re experiencing on a global scale is putting countless Hoosiers at risk of identity theft, which can have absolutely devastating consequences,” Zoeller said. “Indiana’s laws must be updated to meet these crimes head on. The legislation I’ve proposed would close some loopholes in existing laws, and give the state more legal tools to combat irresponsible storage of personal or financial information, whether online or on paper."


Tips For Reducing HIPAA Violation Risks


The need to attend to data security is increasing exponentially as enforcement tightens and the risk of significant financial penalties for HIPAA violations looms. To that end, a new white paper by Core Security provides some guidance for keeping data safe and avoiding the risk of compromised patient information.

As Health IT Outcomes earlier noted, a PwC report investigating the state of healthcare compliance found there is still much progress to be made in healthcare compliance across the board, and HIPAA privacy and security remain the top compliance concerns. Penalties for violations are increasing and reputations can be damaged, not to mention the imminent start of privacy audits from the HHS Office for Civil Rights. Compliance officers are challenged to fill gaps in their policies and procedures and be ready to demonstrate compliance with HIPAA requirements.

The cost of breaches can be crippling for healthcare organizations. For example, the OCR fined two health organizations almost $2 million in the wake of the theft of laptops, while Parkview Health paid out $800,000 in HIPAA fines and agreed to institute a corrective plan of action after it was alleged that the institution was dumping sensitive records.

These types of violations aren’t going away, either. A Redspin Breach Report found there was a 138 percent rise in the number of healthcare records breached in 2013, affecting some eight million records.

The Core Security whitepaper, Attack Intelligence: The Key To Reducing Risk in Healthcare, is designed to help healthcare institutions avoid these costly incidents. As the study asserts, “HIPAA-covered entities need to both identify their risks and take steps to mitigate that risk once they become aware of it.”

And yet, recent research demonstrates few healthcare industry professionals have a solid understanding of their own risks. A survey conducted by Healthcare Information Security found OCR audits have resulted in an increase in risk assessments, but that those assessments are often not complete. The data revealed 63 percent of respondents reported a data breach in 2014, and almost 50 percent acknowledged a data breach affecting a business partner. One contributing factor to these figures was that fewer than half of the 200 healthcare organizations surveyed had a documented risk assessment and risk management strategy in place and only 40 percent said they had one in the works.

While most healthcare organizations are cognizant of the need for basic security tools in assessing risk, the whitepaper asserts they do not provide the critical type of information necessary to manage risk – “actionable attack intelligence about sensitive IT assets like the medical record application servers or the backend databases that hold ePHI.”

“Healthcare organizations are familiar with risk management,” said Eric Cowperthwaite of Core Security, “But they aren’t necessarily thinking about how they’re going to be attacked. You may have a vulnerability management program. But the question is ‘How do you know which vulnerabilities matter? How do you know which possible attacks are likely – or not?’”



Electronic data breach planning: 4 tips for reducing liability risk | Lexology


There is no doubt that electronic data breaches are a hot topic. The recent breach of Morgan Stanley’s customer data is a prime example and chilling reminder that businesses, no matter the amount of security measures, are at risk of an electronic data breach. Indeed, as nearly every state has passed its own set of unique electronic data breach laws, electronic data breaches are becoming a much larger liability concern for companies, in terms of both financial and reputational harm.

In 2014, Kentucky passed KRS 365.732 and joined 46 other states in quantifying and qualifying what constitutes a data breach and the obligations that arise from a breach. Like most states, Kentucky’s law does not include breaches of financial or health information which are covered under federal law in the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.

Because of this increased liability, businesses should be proactive in trying to manage risk in the event a data breach occurs.

Is My Company at Risk for an Electronic Data Breach?

While the news has focused on large electronic data breaches of major retailers, electronic data breaches of a smaller scale are much more common. Even more problematic may be the reputational loss of consumer trust and confidence resulting from an electronic data breach. Any business or organization that electronically collects and/or stores personal information is susceptible to a breach. Consider the following five questions:

  1. Do you have customers’ or potential customers’ information stored electronically?
  2. Do you store or transmit electronic files with customers’ information?
  3. Do you have client information stored on a cloud or with a third party vendor?
  4. Do you process credit card transactions?
  5. Do you have wireless networks in your office?

If you answered yes to the first question, you are at risk of an electronic data breach. Answering yes to any of the questions that follow greatly increases your risk of a data breach.

What is a Data Breach?

In general, a data breach occurs when there is an unauthorized disclosure of personal information. There is no model rule for what constitutes a breach of someone’s personal information and each state can define what constitutes personal information.

In Kentucky, personal information is defined as a person’s name coupled with a social security number, driver’s license number, or credit/debit card or account number and passcode. However, some states define personal information much more broadly. For example, Texas defines personal information as any “sensitive” information.

A data breach is commonly thought of in the context of computer hacking; however, data breaches can occur in a number of more innocuous ways. In fact, most statutes are defined so broadly that a data breach occurs if an employee loses his or her cellphone containing personal information of a customer. As such, most companies today, no matter their size, are at risk.

Decreasing Your Company’s Electronic Data Breach Liability

Planning for and proactively adopting preventative measures in the event of an electronic data breach is the most important thing you can do to protect against potential liability. Being prepared can save you time, likely a significant amount of money, and any reputational harm associated with the data breach.

Most state laws require actual damages to bring a claim for a breach of data. Not surprisingly, in reviewing cases in which customers brought a claim for a breach of data, damages were less or non-existent when companies reacted and notified their customers quickly of the breach. (See generally Giordano v. Wachovia Sec., 2006 U.S. Dist. LEXIS 52266, Civ. No. 06-476JBS, 2006 WL 2177036 (D.N.J. July 31, 2006); Key v. DSW, Inc., 454 F. Supp. 2d 684 (S.D. Ohio 2006).)

4 Tips for Reducing Liability Risk

While the type and amount of data a company collects or has access to will lead to varying plans, the following are some general tips that all businesses should know:

#1: Know what type of information is electronically stored. If a breach occurs, the information compromised may not be considered “personal information” under certain state laws. In addition, many state laws do not require action or impose liability if data is compromised that is encrypted. Further, take a hard look at the personal information you are collecting and determine whether such information is necessary to serve and know your customer. If the answer is no, not collecting that data would reduce your liability, as well as save valuable server or cloud space.

#2: Know where that information is stored. Most businesses use “clouds” to store their data on a remote server. Clouds offer different types of data storage, services and security levels. Many cloud vendors actually rely on subcontractors to hold their customers’ information. In many cases, these subcontractors are located overseas making any attempt to seek indemnification for a breach very difficult and expensive.

#3: Be ready to react. Have your notification template in place to communicate and know who is making that communication if a data breach occurs. Figuring out what should be done and communicated and who should lead this charge should occur before a breach occurs. Not having a plan of action will delay a reaction and likely lead to increased liability and reputational harm.

#4: Test your systems and your plan. A data breach does not have to mean that you breached the duty of care to your customers. Showing that you are using the best in class systems to prevent a breach and that you test your systems for a breach in a consistent manner, will assist in showing that you are meeting your duty of care owed to your customers.

Not only will the steps above help in limiting any liability your company may face if a data breach occurs, but it will also likely allow you to identify potential gaps in your data security, therefore, preventing a breach from occurring. Data breaches are inevitable these days, which is why having a well-defined incident response plan and team in place is important.

If you do believe customer data has been compromised, you should contact an attorney immediately to help you understand what duties you may have to notify and further protect your customers’ information. As stated above, reacting quickly can help reduce any liability that may be caused by the breach.


Mega-Breaches: Notification Lessons


When preparing their data breach notification strategies, healthcare organizations must guard against focusing solely on HIPAA compliance and neglecting to consider various state laws, says privacy and security attorney Brad Rostolsky.

"State laws are often not something that folks think about immediately ... but it should be right up there with HIPAA in terms of what we're thinking about," he says in an interview with Information Security Media Group.


For instance, less than a week after health insurer Anthem Inc. publicly disclosed on Feb. 4 that it had suffered a breach affecting millions of former and current health plan members in numerous states, 10 state attorneys general wrote a letter to the insurance company expressing "alarm" that Anthem hadn't yet communicated with those affected.

Under federal HIPAA regulations, the U.S. Department of Health and Human Services and victims must be notified about a breach affecting 500 or more individuals within 60 days of the discovery of the breach. But that breach notification timeline is much shorter in many states. And the definition of what constitutes a health data breach in some states also differs from what HIPAA says, Rostolsky explains.

"If you know you are only dealing with patients or individuals in two to five states, it's probably worthwhile to get a sense of what the obligations are under those states' laws," he says. "But it's the larger institutions and larger businesses that deal with folks across the country that have a bigger challenge. The last thing any client wants to hear is '50 state survey,' but generally speaking, it's not a bad idea to make sure the folks you're turning to for advice [about breaches] are aware of what all the states require."

The bottom line, Rostolsky says, is: "Anytime you're dealing with an incident that could be a breach under state or federal law, it's really important that you're reacting quickly."



States ramp up data security laws


Healthcare organizations not only must heed federal data security laws; they also have state laws to keep in mind. And a growing trend has states making these regulations tougher than ever. One state that currently has no laws requiring organizations to implement certain data security protections has proposed legislation that would hold entities fully responsible for failing to safeguard consumer data.  

 
As businesses continue to demonstrate grievous security failings, New York state has decided to join a growing number of states that have chosen to ramp up their data security laws. The announcement last week from the state's Attorney General Eric T. Schneiderman comes on the heels of a report last year finding that nearly 23 million New Yorkers have had their personal records compromised since 2006.
 
New York entities are only required to notify individuals of a data security breach if "private information" has been compromised. Private information, as state officials pointed out, has a very narrow definition and does not include email addresses and passwords; medical data and health insurance data, among other items. 
 
The proposed law would broaden the definition of private information to include email addresses, security questions and medical and health insurance data. The law would also establish a safe harbor rule for companies that implement specific data security plans and standards that officials say would minimize the chance of a breach. 
 
In 2013 – a "record-setting" breach year for New York – these data security breaches cost organizations a whopping $1.37 billion statewide. Some 40 percent of those breaches were hacking related, according to a 2014 N.Y. Attorney General report.
 
What's more, healthcare organizations proved to be the biggest offenders, with healthcare data breaches being responsible for compromising the largest number of records of New Yorkers since 2006. "As the healthcare industry moves toward increasing digitization, it has become a repository for large troves of sensitive information, making the industry uniquely susceptible to data loss, particularly through lost or stolen electronic storage equipment," Schneiderman wrote in the report.  
 
"With some of the largest-ever data breaches occurring in just the last year, it's long past time we updated our data security laws and expanded protections for consumers," said Schneiderman in a Jan. 15 press release. "We must also remind ourselves that companies can be victims, and that those who take responsible steps to safeguard customer data deserve recognition and protection."
 
One of the state's biggest data breaches ever reported was announced by the New York City Health & Hospitals Corporation's North Bronx Healthcare Network, which compromised the health records of some 1.7 million employees, vendors and patients.
 
In light of the increase in scope and frequency of these data security breaches, just last month, Oregon's AG Ellen Rosenblum called on the state's legislature to update and toughen Oregon's data breach law, which does not protect medical or health insurance data. Indiana's AG also in December proposed similar legislation that would tighten data security laws in the state. 



Five common mistakes and how to avoid them for 2015 HIPAA audits


2014 saw a rise in data breaches and HIPAA compliance failures within the healthcare industry. The Office for Civil Rights (OCR) takes privacy and security seriously, and more organizations have been fined for failure to comply with the Health Insurance Portability and Accountability Act (HIPAA). This year, the OCR will use the HIPAA audit program to randomly assess healthcare entities and business associates for compliance with the HIPAA privacy, security and breach notification rules. Here are five mistakes to avoid:  

  1. Failure to keep up with regulatory requirements

Gain a better understanding of specifications for standards as “required” versus “addressable.” Some covered entities must comply with every Security Rule standard. Covered entities must determine if the addressable section is reasonable after a risk assessment, and, if not, the Security Rule allows them to adopt an alternative measure. Be sure to document everything, particularly since the OCR may look at encryption with audits this year.  

  2. No documented security program

The OCR wants to know how you implement a security risk assessment program, so be sure your organization has a documented security awareness program. Once you know the requirements, assess your environment and your users. Does your organization have a security and compliance program in place? How well is it implemented? Who is involved? How often do you communicate? Everyone in your organization should be held responsible for ensuring the safety of data and following proper procedures. Have a plan and a point person in place, and ensure your compliance and security teams talk to each other. Create a committee with stakeholders and clear responsibility, and make sure the plan is documented, communicated and enforced across the organization.

  3. A reactive approach to audits

Once you establish a security program, proactively monitor security and performance indicators, as OCR audits will focus heavily on breach plans and the controls you have in place to protect them. Auditors will look for access to critical group memberships, so make sure you’re auditing and reporting on user activity – including your privileged users. Auditors are increasingly interested in this area, due to the recent increase in insider incidents.

  4. Assumptions regarding business associate agreements

Contractors and subcontractors who process health insurance claims are liable for the protection of private patient information. Make sure you have an updated business associate agreement in place, and ensure the chain of responsibility is documented, agreed upon, and reviewed frequently by both parties. You can find sample contracts offered by the OCR to help you through this process. 

  5. A checkbox approach to compliance

Regulators want to discontinue the checkbox approach to compliance in favor of a risk-based security approach. Compliance and security must go hand-in-hand, and organizations will benefit from incorporating this mindset across both teams. Strong security measures make it easier to meet compliance regulations. By adopting an organizational self-discovery approach, you will have a higher level of visibility and awareness of internal issues, and achieve a more resilient business process and the next level of organizational maturity.



Why Healthcare Providers Need to Take HIPAA Risk Assessments Seriously


Whether your organization falls under HIPAA, FISMA or PCI DSS, you need to do a risk assessment. Yes, it’s a good thing to do a self-assessment, but in order to prepare for a full compliance audit it’s important to get an independent outside consultant to perform this critical assessment.

I have worked in and audited many organizations that all too often wanted to do the minimum and were completely unaware of their full responsibility to meet their compliance. They also in many cases did not have the internal staff or expertise to do a high quality assessment.


To begin, let’s look at HIPAA. From hhs.gov, The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. The Security Rule still concerns individuals’ health records but focuses specifically on ePHI (electronic protected health information). Under the Security Rule, covered entities are required to evaluate risks and vulnerabilities in their environments and to implement security controls to address those risks and vulnerabilities.

Let’s define compliance vs. security. As I was recently quoted in the Nov 17 issue of Fortune, “How Frank Blake kept his legacy from being hacked”: “Compliance is backward-looking and static; security is forward-looking, dynamic, and intelligent.” Compliance is the foundation for security; it’s the minimum.

You can’t be secure if you are not compliant! A risk assessment will achieve compliance and actually make your organization more secure. The HIPAA Risk Assessment is required by law for HIPAA compliance; it’s not optional.

NIST 800-66 Appendix E Risk Assessment Guidelines

Scope the assessment. Where is the ePHI? Servers, workstations, smartphones, laptops, backups, cloud backup?
Gather information. The conditions under which ePHI is created, received, maintained, processed or transmitted.
Identify realistic threats.
Identify potential vulnerabilities.
Assess current security controls.
Determine the likelihood and the impact of a threat exercising a given vulnerability.
Determine the level of risk.
Recommend security controls.
Document the risk assessment results.
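The nine Appendix E steps carried through for a small practice, as an added example that is not code from the article or from NIST: the asset inventory, threats, ratings and controls are constructed sample data, and the likelihood/impact scales and risk bands are assumed from NIST SP 800-30 (2002) section 3.7, written as percentages so the arithmetic stays exact.

```python
"""ePHI risk register that walks the NIST SP 800-66 Appendix E steps.

Constructed example (not code from the article or from NIST).  Assumed, not
taken from the page: scales follow NIST SP 800-30 (2002) section 3.7 written
as percentages (likelihood High=100, Medium=50, Low=10; impact High=100,
Medium=50, Low=10; score = likelihood * impact / 100; bands High > 50,
Medium > 10, Low otherwise).  All assets, threats, ratings and controls
below are made-up sample data, not real findings.
"""
from dataclasses import dataclass, field
from typing import Dict, List

LIKELIHOOD: Dict[str, int] = {"High": 100, "Medium": 50, "Low": 10}
IMPACT: Dict[str, int] = {"High": 100, "Medium": 50, "Low": 10}


def risk_level(score: float) -> str:
    """Step 7: map a likelihood x impact score onto the assumed risk bands."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class EphiAsset:
    """Steps 1-2: where ePHI lives and how it is handled there."""
    name: str
    handling: str  # created / received / maintained / processed / transmitted


@dataclass
class ThreatScenario:
    """Steps 3-6 for one threat exercising one vulnerability on one asset."""
    asset: EphiAsset
    threat: str                          # step 3
    vulnerability: str                   # step 4
    current_controls: List[str]          # step 5: what is in place today
    likelihood: str                      # step 6: rated given current controls
    impact: str                          # step 6
    recommended_controls: List[str] = field(default_factory=list)  # step 8

    def __post_init__(self) -> None:
        # Refuse to carry an unrated scenario into the scoring step.
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"unrated scenario: {self.asset.name}/{self.threat}")

    @property
    def score(self) -> float:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact] / 100

    @property
    def level(self) -> str:
        return risk_level(self.score)


def unassessed_assets(inventory: List[EphiAsset],
                      register: List[ThreatScenario]) -> List[str]:
    """Scope check (step 1): every ePHI location needs at least one scenario."""
    covered = {s.asset.name for s in register}
    return sorted(a.name for a in inventory if a.name not in covered)


def assess(register: List[ThreatScenario]) -> List[dict]:
    """Steps 7-9: score and rank each scenario, recommend, and document."""
    rows = []
    for s in sorted(register, key=lambda s: s.score, reverse=True):
        if s.level == "Low":
            action = "accept; re-evaluate at the next assessment"
        else:
            action = "implement: " + ", ".join(s.recommended_controls)
        rows.append({"asset": s.asset.name, "handling": s.asset.handling,
                     "threat": s.threat, "vulnerability": s.vulnerability,
                     "current_controls": list(s.current_controls),
                     "likelihood": s.likelihood, "impact": s.impact,
                     "score": s.score, "risk": s.level, "action": action})
    return rows


# Constructed sample inventory and register (not real findings).
INVENTORY = [
    EphiAsset("EHR server", "maintained"),
    EphiAsset("clinician laptops", "maintained"),
    EphiAsset("cloud backup", "transmitted"),
    EphiAsset("staff smartphones", "transmitted"),  # left unassessed on purpose
]

REGISTER = [
    ThreatScenario(INVENTORY[1], "theft of device", "no full-disk encryption",
                   ["cable locks"], "High", "High",
                   ["full-disk encryption", "remote wipe"]),
    ThreatScenario(INVENTORY[0], "remote exploitation", "no vulnerability management",
                   ["perimeter firewall"], "Medium", "High",
                   ["monthly patching", "vulnerability scanning"]),
    ThreatScenario(INVENTORY[2], "ransomware", "backups never restore-tested",
                   ["nightly backups", "encrypted at rest"], "Low", "High",
                   ["quarterly restore tests"]),
    ThreatScenario(INVENTORY[0], "credential guessing", "weak password policy",
                   ["account lockout"], "Medium", "Medium",
                   ["multi-factor authentication", "password length policy"]),
]

if __name__ == "__main__":
    for gap in unassessed_assets(INVENTORY, REGISTER):
        print(f"SCOPE GAP: no threat scenario recorded for '{gap}'")
    for row in assess(REGISTER):
        print(f"{row['risk']:6} {row['score']:5.1f} {row['asset']}: "
              f"{row['threat']} via {row['vulnerability']} -> {row['action']}")
```

The scope check is the part most often skipped in practice: an asset that holds ePHI but has no scenario in the register is a gap in step 1, not a low risk.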

I have worked in many technical roles as well as performed many compliance audits as a consultant; we keep seeing many of the same things. No physical access controls, no vulnerability management, no pen testing, no data loss prevention on mobile devices, no backups or backups not tested or not encrypted, account management issues, weak passwords or no separation of duties, just to name a few. Just take a look at the Verizon Data Breach Investigations Report; it states most attacks are not highly difficult. Why? Because they involve the things required by compliance, and too many organizations are weak on compliance. Besides the HIPAA law, why do we need to do risk assessments?

The HIPAA Risk Assessment

From hhs.gov, “Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”

The following questions adapted from NIST Special Publication (SP) 800-66 are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:

Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
What are the human, natural, and environmental threats to information systems that contain e-PHI?
Notice they leave some room for reality by stating the sample questions are not prescriptive but rather issues an organization might consider in implementing the Security Rule.

NIST 800-66 states it this way:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity.

A risk assessment methodology, based on NIST SP 800-30, is included in Appendix E of this document.

Are there any prior risk assessments, audit comments, security requirements, and/or security test results?
Is there intelligence available from agencies, the Office of the Inspector General (OIG), the US-CERT, virus alerts, and/or vendors?
What are the current and planned controls?
Is the facility located in a region prone to any natural disasters, such as earthquakes, floods, or fires?
Has responsibility been assigned to check all hardware and software, including hardware and software used for remote access, to determine whether selected security settings are enabled?
Is there an analysis of current safeguards and their effectiveness relative to the identified risks?
Have all processes involving EPHI been considered, including creating, receiving, maintaining, and transmitting it?

There are too many documents, rules and regulations, and sorting it all out can be confusing, but for the actual risk assessment you must look to NIST 800-66 Appendix E.

Summary

With the federal mandate to put more healthcare records online, data breach after data breach, spanning healthcare, the military, retailers, and universities, has become common. One must ask: what’s the root cause?

According to Leon Rodriguez, Director of the Office for Civil Rights, U.S. Department of Health and Human Services, HIPAA complaint traffic has increased geometrically since the HITECH Act. In the last three years, there have been over 70,000 HIPAA violation complaints. Pre-HITECH, the maximum penalty per year per provision violated was $25,000. Now it’s $1.5 million.

Before the new rules, willful neglect had to be proven to pursue any type of penalty; any lesser degree of culpability was not actionable through penalties. But consumers need confidence that there is an effective enforcement entity if they are going to feel comfortable being forthright in sharing sensitive health information. The HIPAA penalties applied were due to:

Failure to have adequate HIPAA compliance policies and procedures as administrative safeguards.
Failure to complete HIPAA security training for their staff.
Failure to implement access controls as physical safeguards.
Failure to encrypt the information on the device or an equivalent protection.

Since the breach notification rule for unsecured protected health information was enacted in 2009, the U.S. Department of Health and Human Services' database of major breach reports (affecting 500 or more people) has tracked 944 incidents affecting personal information from about 30.1 million people. There are also many more smaller-scale breaches (fewer than 500 people per incident). In 2012, HHS received 21,194 reports of smaller breaches affecting 165,135 people, according to the department's most recent report to Congress. Similar numbers were reported in 2011. In all, data breaches cost the industry $5.6 billion each year, according to the Ponemon Institute.

It’s obvious that we are pushing more healthcare data out than we can possibly secure safely. We see basic compliance failures across all industries. CEOs need to take the lead and put policies and processes in place that ensure 100% of the compliance objectives are met, including the mandated HIPAA risk assessment (no matter how small the healthcare practice), and at the same time start focusing on proactive, intelligence-driven security monitoring and response. We can no longer do some compliance or some security, or work in silos; our adversaries are well organized and funded and will stop at nothing to take, for their personal gain, what we are unable to properly secure.

We must always remember that “we must think of every way our data can be compromised, while a cyber-criminal only needs to think of one!”


FTC suggests stronger data privacy law, HIPAA not enough for health data

This week the Federal Trade Commission published a report focused on privacy and security issues related to the massive Internet of Things (IoT) trend, which includes the growing number of connected health devices. The report summarizes the discussions that took place at an FTC-hosted workshop in November 2013, and it also includes recommendations for the industry from FTC’s staff, which they put together based on the workshop’s discussion.

The workshop’s health panel included five people: Scott Peppet, a professor at the University of Colorado Law School; Stan Crosley, director of the Indiana University Center for Law, Ethics, and Applied Research in Health Information, and counsel to Drinker, Biddle, and Reath; Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology; Jay Radcliffe, a senior security analyst for InGuardians; and Anand Iyer, president and COO at WellDoc. A full transcript of the entire workshop can be found here (PDF) — the health-related discussion starts on page 164.

Notably, one FTC Commissioner — Jeffrey Wright — filed a dissenting opinion and argued that the FTC should not have published recommendations for IoT companies based on one workshop and public comments.

“If the purpose of the workshop is to examine dry cleaning methods or to evaluate appliance labeling, the limited purpose of the workshop and the ability to get all relevant viewpoints on the public record may indeed allow the Commission a relatively reasonable basis for making narrowly tailored recommendations for a well-defined question or issue. But the Commission must exercise far greater restraint when examining an issue as far ranging as the ‘Internet of Things’ – a nascent concept about which the only apparent consensus is that predicting its technological evolution and ultimate impact upon consumers is difficult. A record that consists of a one-day workshop, its accompanying public comments, and the staff’s impressions of those proceedings, however well-intended, is neither likely to result in a representative sample of viewpoints nor to generate information sufficient to support legislative or policy recommendations,” Wright wrote.

He goes on to argue that the FTC should have conducted a rigorous cost-benefit analysis prior to offering its recommendations — and not just acknowledged in passing that the recommendations would carry potential costs and benefits.

The report notes that, in general, IoT brings up a number of security risks for consumers.

“IoT presents a variety of potential security risks that could be exploited to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety. Participants also noted that privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time. In particular, some panelists noted that companies might use this data to make credit, insurance, and employment decisions. Others noted that perceived risks to privacy and security, even if not realized, could undermine the consumer confidence necessary for the technologies to meet their full potential, and may result in less widespread adoption.”

Some of the FTC staff’s recommendations include a push for Congressional action on general data security regulation — not specific to IoT — and a broad-based approach to privacy legislation: “Such legislation should be flexible and technology-neutral, while also providing clear rules of the road for companies about such issues as when to provide privacy notices to consumers and offer them choices about data collection and use practices,” they write.

While it is pushing for a broad-based law, the agency specifically cited health-related data and that HIPAA doesn’t cover all health-related data.

“Workshop participants discussed the fact that HIPAA protects sensitive health information, such as medical diagnoses, names of medications, and health conditions, but only if it is collected by certain entities, such as a doctor’s office or insurance company,” they wrote. “Increasingly, however, health apps are collecting this same information through consumer-facing products, to which HIPAA protections do not apply. Commission staff believes that consumers should have transparency and choices over their sensitive health information, regardless of who collects it. Consistent standards would also level the playing field for businesses.”

HIPAA Enforcement: Waiting for Ramp Up


Some privacy and security experts are concerned that the Department of Health and Human Services' Office for Civil Rights isn't taking bold enough action in its promised efforts to step up HIPAA enforcement. They cite ongoing delays in the startup of OCR's next phase of federal HIPAA compliance audits, as well as the relatively small number of OCR HIPAA enforcement settlements in 2014 involving financial penalties.


During a Jan. 13 media briefing, OCR Director Jocelyn Samuels said her office is planning to launch its next phase of HIPAA compliance audits "expeditiously," but offered no timeline as to when (see HIPAA Audits Are Still On Hold). She said a new protocol for the next round of audits, taking into account new requirements in the HIPAA Omnibus Rule, had yet to be developed.

Last year, OCR had said that the next phase of HIPAA audits would begin in the fall of 2014 with the audits of about 350 covered entities, followed by audits of approximately 50 business associates to be conducted in early 2015. In recently acknowledging ongoing delays in the resumption of audits, OCR officials haven't said if those target numbers are still part of the agency's audit plans.

"The delay [in audits] could be like the 'boy who cried wolf,'" says Tom Walsh, president of security consulting firm Tom Walsh Consulting. "After a while, organizations begin to think, 'It will never happen.' Or 'It will never happen to us'."

Security expert Brian Evans, senior managing consultant of IBM Security Services, notes: "Any delay in random audits allows covered entities and business associates to justify reallocating their focus and efforts in areas other than protecting information and addressing HIPAA requirements. Conversely, an active audit program serves as an additional motivator for CEs and BAs to protect information more effectively."

Reasons for Delay

A number of factors may be contributing to the delay in OCR resuming its audit program. For example, OCR has had a number of senior leadership changes in recent months, including Samuels joining in July to replace former director Leon Rodriguez. At the same time, OCR resources are likely being squeezed as more HIPAA breaches and complaints are filed and investigated by regional offices. On top of that, a delay in a technology roll-out to help automate the collection of audit-related documentation from covered entities and business associates is also likely a culprit in the stalled audit effort.

But the delay, whatever the reason behind it, could hamper efforts to boost compliance, some observers say.

"I definitely think the continuing delay is a bad thing," says privacy expert Kate Borten, president of consulting firm The Marblehead Group. "I'm disappointed, but not surprised, at the ongoing delay in OCR HIPAA audits. Unfortunately, it will be seen as taking the pressure off compliance efforts at some CEs and BAs - and they may be the most likely to need it.

"While many organizations are committed to continually improving their programs, plenty of others are oblivious to their obligations, such as to perform risk assessments and have a breach response plan. Until a robust audit program is fully implemented, I predict industry compliance will remain spotty."

Privacy attorney Adam Greene, of the law firm Davis Wright Tremaine, says that even though the audits appear to be in limbo, covered entities and business associates are taking a big risk if they use that delay as an excuse to slack off.

"Covered entities and business associates should not take too much of a sigh of relief based on the audit program delays," he says. "While the audits are important, the far larger enforcement risks continue to come from information security breaches and patient complaints.

Greene says the biggest question he has about the delayed audit program "is how many of the next round of audits will be narrowly focused desk audits and how many, if any, will be comprehensive onsite audits. OCR has referenced that they intend to do onsite audits as resources permit, but they have provided mixed signals regarding whether they currently have the resources allocated to perform such on-sites," he says.

Evans says OCR should widen its pool of covered entities and business associates that are audited.

"I would like to see a larger number of organizations audited or, minimally, surveyed. Increasing the candidate pool heightens organizational readiness to pursue and maintain compliance," he says. "Offsite 'desk audits' can be a cost-effective way of gathering compliance data and cover a wider population in the process. It also provides a more representative sampling of data for future OCR audits."

Three Monetary Penalties in 2014

When the HIPAA Omnibus Rule went into effect in September 2013, OCR had pledged to ramp up its HIPAA enforcement activities. Anticipated action included a resumption of the audit program as well as more investigations that could result in financial sanctions for HIPAA violations.

But OCR announced only three resolution agreements in 2014 involving monetary penalties for cases involving violations of HIPAA. The biggest enforcement action was in May 2014, when OCR announced a record $4.8 million settlement with New York-Presbyterian Hospital and Columbia University. That case involved a breach of unsecured patient data on a network, affecting about 6,800 patients.

Walsh says he believes it's unlikely that OCR will ramp up the number of penalties it issues this year.

"I heard ... Samuels state that the OCR is interested in voluntary compliance. Enforcement penalties and corrective action plans are the tools the OCR will use - when necessary to obtain compliance when it is obvious that nothing else will work," he says.

"Provider healthcare organizations are facing some tough budget issues starting in 2015. Imposing stiff fines for noncompliance is like the bank charging for overdrafts on insufficient funds in a checking account."

Greene, the attorney, says it's still too soon to tell how OCR's enforcement priorities may change under Samuels's leadership. "Once we have 2015 behind us ... we will have a better sense of whether OCR is increasing the number of financial settlements and how, exactly, the audit program fits into OCR's enforcement efforts."

Enforcement Arsenal

Samuels told reporters Jan. 13 that OCR expects to receive about 17,000 HIPAA complaints this year, and it will continue to use its "arsenal" of enforcement tools, including resolution agreements, corrective action plans, and financial settlements, to shine a spotlight on "high impact cases," including breaches and other HIPAA investigations that show "egregious" and "systemic" compliance concerns.

"We will continue to identify and bring to resolution high impact cases that send strong enforcement messages to the industry about compliance," Samuels said.


HIPAA Audits Are Still on Hold


The unit of the Department of Health and Human Services that enforces HIPAA still has plenty of work to do before it can launch its long-promised next round of HIPAA compliance audits, as planned for this year.

The HHS Office for Civil Rights has yet to develop a revised protocol for conducting the audits, OCR Director Jocelyn Samuels revealed during a Jan. 13 media briefing.


Samuels declined to offer a timeline for when OCR plans to resume its HIPAA audits, which Samuels says will include covered entities as well as business associates, who are now directly liable for HIPAA compliance under the HIPAA Omnibus Rule.

Early in 2014, OCR officials said the agency expected to resume compliance audits of covered entities in the fall of 2014, later expanding the program to include audits of business associates based on those vendors identified by covered entities in pre-audit surveys.

Then in September, OCR officials said the audit launch was stalled because of a delay in the rollout of technology to collect audit-related documents from covered entities and business associates.

In her comments Jan. 13, Samuels did not offer an explanation for the prolonged delay in resumption of HIPAA audits.

"OCR is committed to implementing an effective audit program, and audits will be an important compliance tool for OCR," Samuels said. The audits "will enable OCR to identify best practices and proactively uncover risks and vulnerabilities, like our other enforcement tools, such as complaints and compliance reviews; provide a proactive and systematic means to assess and improve industry compliance; enhance industry awareness of compliance obligations; and enable OCR to target its outreach and technical assistance to identified problems and to offer tools to the industry for self-evaluation and prevention. Organizations should continue to monitor the OCR website for future announcements on the program."

In 2012, OCR conducted a pilot HIPAA audit program for 115 covered entities that was carried out by a contractor, the consulting firm KPMG. It also issued an audit protocol offering a detailed breakdown of what was reviewed. OCR is revising the protocol to reflect changes brought by the HIPAA Omnibus Rule.

Rules In the Works

In addition to the pending audits, other HIPAA-related activities under way at OCR for 2015 include:

  • A final version of a proposed rule HHS issued last January to permit certain covered entities, including state agencies, to disclose to the National Instant Criminal Background Check System the identities of persons prohibited by federal law from possessing or receiving a firearm for reasons related to mental health;
  • An advanced notice of proposed rulemaking related to a HITECH Act mandate for HHS to develop a methodology to distribute a percentage of monetary settlements and penalties collected by OCR to individuals affected by breaches and other HIPAA violations;
  • A possible request for additional public input on OCR's proposed accounting of disclosures rule making. Samuels says OCR is still evaluating the comments it received on the proposed accounting of disclosures rule it issued in 2011, as well as recommendations from the HIT Policy Committee about refining the rule.

In a statement provided to Information Security Media Group, Samuels noted, "The [accounting of disclosures] rulemaking is still listed as a long-term action on our last published regulatory agenda. We are exploring ways to further solicit public input on this important issue."

OCR in May 2011 issued a notice of proposed rulemaking for updating accounting of disclosures requirements under HIPAA. The proposal generated hundreds of complaints from healthcare providers and others. Many of the complaints were aimed at a controversial "access report" provision. As proposed, the access report would need to contain the date and time of access to electronic records, the name of the person or entity accessing protected health information, and a description of the information and user action, such as whether information was created, modified or deleted. The proposal would also provide patients with the right for an accounting of disclosures of electronic PHI made up to three years prior to the request.

Other Enforcement Activities

OCR also has a number of other enforcement activities planned for 2015, Samuels said in the Jan. 13 briefing.

"We will continue to identify and bring to resolution high impact cases that send strong enforcement messages to the industry about compliance," she said. "These types of cases can include the lack of a comprehensive risk analysis and risk management practices, ignoring identified threats and hazards to systems containing electronic protected health information, and insufficient policies and procedures, and training of workforce members."

OCR also expects to provide policy clarification for a variety of topics, including cloud computing and the "minimum necessary" rule, which HHS says is based on the premise that protected health information should only be used or disclosed if it is necessary to satisfy a particular purpose or carry out a function.

"We will also continue dialogues with our stakeholders about issues on which they would like additional interpretation," Samuels says.


HIPAA privacy and public health emergency situations


In light of the Ebola outbreak, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued a bulletin reminding health care providers that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule remains in force during an emergency: “the protections of the Privacy Rule are not set aside during an emergency.” OCR cautions that in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against impermissible uses and disclosures. Thus, covered entities and their business associates should review the HIPAA Privacy Rule to ensure that uses and disclosures in emergency situations are appropriate, and should provide training and reminders to employees.

HIPAA recognizes that under certain circumstances it may be necessary to share patient information without authorization. OCR’s bulletin notes that covered entities may disclose protected health information without a patient’s authorization as necessary to treat the patient or a different patient. HIPAA also allows covered entities to release patient information without authorization for certain public health activities. A covered entity may disclose protected health information to a public health authority that is authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability. Information may also be shared at the direction of a public health authority with a foreign government that is acting in collaboration with the public health authority. In addition, health information may be shared with persons at risk of contracting or spreading a disease or condition if authorized by law. Finally, health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, consistent with applicable law and ethical standards.

There are additional circumstances that allow the disclosure of protected health information. A covered entity may disclose protected health information to a patient’s family members, relatives, friends, or other persons whom the patient identifies as being involved in the patient’s care, and to disaster relief organizations. Covered entities should review the specific circumstances that allow the release of this information.

Covered entities should also review whether the minimum necessary requirement applies. For most disclosures, but notably not disclosures to health care providers for treatment purposes, a covered entity must make reasonable efforts to limit the information disclosed to the “minimum necessary” to accomplish the purpose.

Although the media has reported many details about Ebola patients, HIPAA is not suspended when providing information to the media about Ebola or other public health emergencies. Therefore, covered entities should carefully review the rules surrounding disclosures to the media or others not involved in the care of the patient. If the media requests information about a particular patient by name, a health care facility may release limited facility directory information to acknowledge that the individual is a patient and provide basic information about the patient’s condition in general terms, if the patient has not objected to or restricted the release of this information; information about an incapacitated patient may only be released if the disclosure is believed to be in the patient’s best interest and is consistent with the patient’s prior expressed preferences. General information about a patient’s condition includes critical or stable, deceased, or treated and released. OCR cautions that affirmative reporting or disclosure to the media or the public at large about an identifiable patient or specific information may not be done without the patient’s or an authorized personal representative’s written authorization, unless one of the limited circumstances described elsewhere in OCR’s bulletin is applicable.

Although HIPAA is not suspended during a public health or other emergency, the HHS Secretary may waive certain provisions under the Project Bioshield Act of 2004 and section 1135(b)(7) of the Social Security Act. The limited waiver applies to certain sanctions and penalties of the Privacy Rule if the President declares an emergency or disaster and the HHS Secretary declares a public health emergency. The waiver only applies in the emergency area and for the emergency period identified; to hospitals that have instituted a disaster protocol; and for up to 72 hours after the hospital implements its disaster protocol. Once the Presidential or Secretarial declaration ends, a hospital must comply with the entire Privacy Rule, even if less than 72 hours have elapsed since the hospital implemented its disaster protocol.


CHIME chairman calls for mixed approach to security


Healthcare organizations need a variety of strategies to address security threats, according to Charles Christian, CIO at Columbus, Georgia-based St. Francis Hospital and new chairman of the College of Healthcare Information Management Executives (CHIME).

That includes technology, education, policy and best practices, he says, in an interview with HealthcareInfoSecurity.

"We have to be diligent and constantly learn about what might occur so we can prepare for that," Christian says. "It's not just one or two things, it's a variety of things that we must do."

Beyond policy, it involves ensuring that employees are educated about security, and auditing "to make sure the education is sticking," he says. On the technology side, it includes network access controls, firewalls and encryption.

CHIME is working with the Office of the National Coordinator for Health IT on interoperability, security and other issues.

"I'm really glad the ONC is looking at this," Christian says. "With their office's attention on this, it really raises the level of importance of cybersecurity up where it needs to be."

In an attempt to close a gap its members found in organizations focused on cybersecurity, CHIME created its own last summer: the Association for Executives in Healthcare Information Security, he explains.

The new organization will be focused on "supporting the professional development and peer-to-peer needs of CSOs," according to CHIME.

Small organizations, in particular, often can't afford to have a dedicated security person. To that end, the new organization is trying to provide needed security education so that such organizations don't have to rely on system or application vendors for this knowledge, Christian says.

Security experts foresee even more cyberattacks on healthcare organizations in 2015, especially increases in phishing and ransomware attacks.

Jeff Bell, HIMSS privacy and security committee chair, urges organizations to heed the cyberthreat intelligence provided by the U.S. Computer Emergency Readiness Team, the U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center and others.


N.J. Law Requires Insurers to Encrypt


A New Jersey law that will go into effect in July requires health insurers in the state to encrypt personal information that they store in their computers - a stronger requirement than what's included in HIPAA.

The new law, signed by N.J. governor Chris Christie last week, was triggered by a number of health data breaches in the state, including the 2013 Horizon Blue Cross Blue Shield of New Jersey breach affecting 840,000 individuals. That breach involved the theft of two unencrypted laptops.


The new law states: "Health insurance carriers shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person."

The law applies to "end user computer systems" and computerized records transmitted across public networks. It notes that end-user computer systems include, for example, desktop computers, laptop computers, tablets or other mobile devices, or removable media.

Personal information covered by the encryption mandate includes an individual's first name or first initial and last name linked with any one or more of the following data elements: Social Security number; driver's license number or State identification card number; address; and identifiable health information.

Different than HIPAA

"The New Jersey law differs from HIPAA in that it mandates implementing encryption, whereas HIPAA mandates addressing encryption," privacy attorney Adam Greene of law firm Davis Wright Tremaine says.

The Department of Health and Human Services offers this explanation of the HIPAA encryption requirement on its website: "The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of electronic PHI.

"If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision."

Greene points out that because the new state law is tougher than HIPAA, "A New Jersey health plan could determine that some of its protected health information does not require encryption under HIPAA, but they will nevertheless be required to encrypt the information under the New Jersey law."



Indiana Attorney General Enforces HIPAA For First Time – Another Lesson for Small Business | The National Law Review


As we reported, state Attorneys General have authority to enforce the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA), pursuant to the authority granted under the Health Information Technology for Clinical and Economic Health (HITECH) Act. Shortly after announcing plans to seek legislation requiring stronger protections for personal and financial information, Indiana Attorney General Greg Zoeller reached a settlement with a dentist in his state, Joseph Beck, for improperly dumping patient records in violation of state law and HIPAA. The dentist agreed to pay $12,000 in fines.

According to news reports, over 60 boxes containing years of dental records pertaining to over 5,600 patients, and including very sensitive personal information, were found in a dumpster. Apparently, the dentist hired a third party vendor to dispose of the records; that vendor likely was a business associate under HIPAA and, if so, also subject to the HIPAA privacy and security rules.

For small medical or dental practices, as for other professional service businesses such as lawyers, accountants, and insurance brokers, data security can be both daunting and expensive if there is a breach. Like many businesses, small businesses rely on third party vendors to perform certain activities. When those activities involve personal information of the business' customers, the business owner should be paying more attention. Ask the vendor what steps it has in place to protect information: does it have a written information security plan, is it licensed, does it have insurance in the event of a breach, does it train employees about data security, and, yes, how does it dispose of the records and data it is being asked to handle. In many states, businesses are required to have language in their service agreements with vendors about data security when the vendors are going to handle personal information. There is a similar provision under HIPAA for business associates.

It is troubling to see that sensitive records are still being found in dumpsters even after the many widely-publicized data breaches. But, as here, the owner of the records may not be able to avoid responsibility by shifting it to the vendor.



Survey: Charging patients for EHR access may violate HIPAA

Dive Brief:
  • A survey of healthcare providers has revealed that as much as 25% of those who charge patients for EHRs may be violating HIPAA rules by doing so, according to a report released by the American Health Information Management Association.
  • While it is permitted to charge patients a "reasonable, cost-based fee" to access their electronic medical records, the survey revealed that many providers simply mimic their individual state's photocopy policy for public records requests, charging around $1 per page. Because the fee being charged to the patient is not related to the cost of providing the record, it constitutes a violation of HIPAA policy, the report stated.
  • "Regarding charges for electronic and paper copies of records, more than half (52.6%) of respondents indicated that they charge patients for electronic copies of their medical records, and nearly two-thirds (64.7%) reported that they charge patients for paper copies of their medical records," the report stated. "Charges for electronic copies varied from a flat fee for a device to per-page fees or some combination of the two, and charges for paper copies were generally by page, with 65% reporting that they charged less than $1.00 per page. Nearly one in four respondents (23.6%) commented that they follow their state's rates for copies. Following the state rates would suggest that the fees are not uniquely based on the cost to the facility. This finding would appear to be inconsistent with HIPAA and HITECH requirements that patients may only be charged a 'reasonable cost-based fee' for copies of their medical records."
Dive Insight:

There is no doubt that the implementation of EHRs is one of the most expensive projects to hit the healthcare industry since its inception, and it's obvious that the cost of implementation is going to eventually be picked up by the consumer. Taxpayers are already footing the bill for the $28 billion already appropriated by Congress to facilitate EHR implementation through its meaningful use program, but that still doesn't cover all of their EHR expenses.

All that being said, what's at issue here is a patient's right to obtain his or her medical records. The whole point of the paperless revolution is to streamline health information and reduce costs associated with paper-only records. By that logic, HIPAA requirements are reasonable. They simply state that providers don't have the right to charge patients unreasonably to get electronic copies of their records.

Now, $1 a page (or even less) may not sound unreasonable on the surface, but with medical advances transforming many fatal conditions into chronic conditions, patients are living longer with proper treatment. It's not uncommon for a cancer patient in remission to have hundreds of pages in their medical records. And in the age of the ACA, many patients are changing doctors and plans, necessitating transfer of the EHRs. Is it fair to charge several hundred dollars for a process that is equivalent in many cases to pointing, clicking and sending an email?

